Fail2Ban - SMTP filters that help me resolve an attacked mail server with Postfix and Dovecot
## content of: /etc/fail2ban/jail.local
[mail-smtp]
enabled = true
logpath = /var/log/mail.log
filter = mail-smtp
maxretry = 1
action = iptables-multiport[name=mail-smtp, port="25,587", protocol=tcp]
## content of: /etc/fail2ban/filter.d/mail-smtp.conf
[Definition]
##
# May 15 07:19:07 mail postfix/smtpd[10583]: warning: unknown[185.3.133.174]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
# May 18 12:53:45 mail postfix/smtpd[10926]: warning: 41.222.52.105: address not listed for hostname na.cyberlogic.co.za
# May 15 06:26:01 mail postfix/smtp[29807]: B79961A8C29F: ***, relay=none, delay=0.02, delays=0.01/0/0.01/0, dsn=4.4.1, status=deferred (connect to ***.******.**[***.***.***.***]:25: Connection refused)
# May 15 06:26:34 mail postfix/smtp[30395]: 403CB1A8C751: *** status=deferred (host ******[***.***.***.***] said: 454 4.7.1 ***: Relay access denied (in reply to RCPT TO command))
# May 18 23:09:50 mail postfix/smtp[5844]: 808EB1A8C2B7: lost connection with mta7.am0.yahoodns.net[63.250.192.46] while sending RCPT TO
# May 18 23:53:16 mail postfix/error[32147]: 6E6431A8C2CE: to=<rgaz1018@aol.com> *** status=deferred (delivery temporarily suspended: connect to mailin-04.mx.aol.com[64.12.88.132]:25: Connection timed out)
# May 14 23:26:50 mail postfix/smtpd[31643]: warning: non-SMTP command from unknown[177.11.51.103]: From: sftjh@*******
##
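# Patterns 1, 2 and 7 match postfix/smtpd lines, where <HOST> is the connecting client.
# Patterns 3-6 match postfix/smtp and postfix/error delivery lines, where <HOST> is the
# remote server this host was delivering to; with maxretry = 1 a single match bans it.
# Continuation lines of a multi-line value must be indented.
failregex = warning: (?:.*\[<HOST>\]\:.*) SASL (PLAIN|LOGIN) authentication failed: .*$
            warning: <HOST>: address not listed for hostname .*$
            status=deferred \(connect to (?:.*\[<HOST>\]\:.*)(?:\d.\:.*) Connection refused\)$
            status=deferred \(host (?:.*\[<HOST>\] said\:.*\:) Relay access denied \(.*RCPT TO.*\)\)$
            lost connection with (?:.*\[<HOST>\].*) while sending RCPT TO$
            status=deferred \(delivery temporarily suspended\: connect to (?:.*\[<HOST>\]\:.*)(?:\d.\:.*) Connection timed out\)$
            warning: non-SMTP command from (?:.*\[<HOST>\]\:.*) From: .*$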
ignoreregex =
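
An added example, not part of the gist: a Python check that runs the gist's seven `failregex` entries over constructed log lines and reports which address each match would ban and whether that address is a connecting client or a remote server from an outbound delivery. The IPv4-only `HOST` pattern is a simplified stand-in for fail2ban's `<HOST>` tag, and `classify` and the sample lines are assumptions made for the illustration.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption; the
# real tag also accepts IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The gist's failregex entries, copied verbatim.
FAILREGEX = [
    r"warning: (?:.*\[<HOST>\]\:.*) SASL (PLAIN|LOGIN) authentication failed: .*$",
    r"warning: <HOST>: address not listed for hostname .*$",
    r"status=deferred \(connect to (?:.*\[<HOST>\]\:.*)(?:\d.\:.*) Connection refused\)$",
    r"status=deferred \(host (?:.*\[<HOST>\] said\:.*\:) Relay access denied \(.*RCPT TO.*\)\)$",
    r"lost connection with (?:.*\[<HOST>\].*) while sending RCPT TO$",
    r"status=deferred \(delivery temporarily suspended\: connect to (?:.*\[<HOST>\]\:.*)(?:\d.\:.*) Connection timed out\)$",
    r"warning: non-SMTP command from (?:.*\[<HOST>\]\:.*) From: .*$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Constructed log lines modelled on the gist's samples (documentation IPs).
SAMPLES = [
    "May 15 07:19:07 mail postfix/smtpd[10583]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "May 14 23:26:50 mail postfix/smtpd[31643]: warning: non-SMTP command from unknown[192.0.2.11]: From: user@example.com",
    "May 18 23:09:50 mail postfix/smtp[5844]: 808EB1A8C2B7: lost connection with mx.example.net[198.51.100.9] while sending RCPT TO",
    "May 18 23:53:16 mail postfix/error[32147]: 6E6431A8C2CE: to=<user@example.org> status=deferred (delivery temporarily suspended: connect to mx.example.org[198.51.100.7]:25: Connection timed out)",
    "May 15 07:19:01 mail postfix/smtpd[10583]: connect from unknown[192.0.2.10]",
]

def classify(line):
    """Return (banned_host, role) for the first failregex hit, else None.

    role is "client" when postfix/smtpd logged the line (a host that connected
    to us) and "remote-server" for postfix/smtp or postfix/error, where the
    bracketed address is the server we were delivering to.
    """
    daemon = re.search(r"postfix/(\w+)\[", line)
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            inbound = bool(daemon) and daemon.group(1) == "smtpd"
            return m.group("host"), "client" if inbound else "remote-server"
    return None

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line[16:70])
```

On a live system, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/mail-smtp.conf` performs the same check with fail2ban's own `<HOST>` handling.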

FlorianHeigl commented Oct 23, 2020

thanks for sharing, this worked so much better than the other crap i'd tried before. after years(!) finally it does what it should.


pida42 (Owner, Author) commented Oct 23, 2020

> thanks for sharing, this worked so much better than the other crap i'd tried before. after years(!) finally it does what it should.

You are welcome...